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(57)Abstract: 

PROBLEM TO BE SOLVED: To relieve the overhead of an 
authentication server by applying simple authentication at the next 
time with respect to a user that has been authenticated to conduct 
authentication in a short time without degrading a security level. 
SOLUTION: When a client 111 makes a request of connection with 
respect to a server 113 to an authentication server 112, the 
authentication server 112 authenticates the user, based on 
identification information and authentication information. 
Furthermore, the server 112 stores sets of user information 131, 
132 consisting of addresses of transmission source and destination 
of the user, a port number and a session key generated at the 
authentication and stores number of connections in use applied by 
the user at authentication or connection information for a 
connection existence time, and conducts simple authentication of 
the user based on the connection information and the user 
information, when it is required to authenticate the user again. The 
authentication by using a certificate 121 is conducted only for a 
first connection request. 
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Pertinent Description ([ 0009 ]-[ 0017 ] ) 
[0009] 

Fig. 3 is a flowchart of normal authentif ication processing 
first performed according to the present invention. Fig. 4 is a 
flowchart showing simple authentif ication processing, illustrating 
an embodiment of the present invention. Fig. 3 and Fig. 4 are used 
to explain processing sequences that take place between a client, 
an authentif ication server, and a server. In Fig. 3, a server 
connection request is received from a user (step S301) , and a client 
111 sends a normal authentif ication request to the authentif ication 
server 112 (step S302) . Then, when a certification, which has been 
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distributed to the client 111 , is sent to the authentif ication server 
112 (step S303), the authentif ication server 112 receives the 
certification (step S305) and then verifies the certification by 
comparing it against a certification which it itself has been holding 
(step S306), If the certifications do not match each other, then 
an authentif ication failure is notified to the client 111, and the 
connection with the client 111 is disconnected (step S317). By 
contrast , if the certifications do match, then a response indicating 
an authentif ication success is sent to the client 111 (step S307), 
andasessionkey is generated (stepS309) . V/hen the authentif ication 
succeeds (step S308), the session key is generated on the client 
111 side (step S310), and an address, a port number, the session 
key, a flag, a number of connections or a connection duration time 
and other such information are configured as user information 131 
and sent to the authentif ication server 112 (step S311) . Then, the 
user information 131 is added to a list (step S313). Referring to 
Fig. 5 , explanation will be given regarding a flowchart with details 
pertaining to configuration of these settings. Fig. 3 depicts the 
authentif ication processing (step S306) in a simple fashion, but 
in actuality this processing also involves multiple sequences for 
exchanging random numbers and the like, which will be explained 
below using Fig. 8. Next, the authentif ication server 112 performs 
processing (steps S312, 314) to configure user information 132, 
which is shown in Fig. 6, based on the above-mentioned information 
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received, and relays the connection request from the client ill 
to the server 113 (step S315) . If the communications with the server 
113 have ended (step S316) , then the connection between the client 
side and the authentif ication server side is disconnected (steps 
S318, 317). 

[0010] 

Fig. 8 is a detailed sequence chart of the authentif ication 
processing in Fig. 3, which is performed when the nojnnal 
authentif ication is performed. In Fig. 3, after the certification 
which was distributed to the client side has been sent (step S303) , 
the processing then moves to Fig. 8, where a random number is generated 
and that random number is sent to the authentif ication server side 
( step S801 ) . On the authentif ication server side the received random 
number is encoded using an encoding key which the authentif ication 
server 112 itself holds, and this is then sent to the client side 
( step S802 ) . The encoded random number is then received on the client 
side (step S803) and the random nximber is decoded (step S804), and 
then the decoded random number is compared against the random number 
which the client itself has (step S805). If these random numbers 
do match each other, then the encoded random number is once again 
sent to the authentif ication server side (step S806). The 
authentif ication server side then receives the encoded random number 
(step S807), and compares it against the random number encoded in 
the beginning at step S802. If these do match each other, and if 
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the content of the certification sent from the client side is compared 
against the content which the authentif ication server 112 itself 
is holding and these also match each other, then the authentif ication 
is judged to be successful and the authentif ication success is sent 
to the client side (step S307) . When the authentif ication success 
is received on the client side (step S308), the session key is then 
generated (step S310) and communications after that point are 
performed with the session key. 
[0011] 

Next, Fig. 4 is used to explain simple authentif ication 
processing in accordance with the present invention . When the server 
connection request is received from the user (step S401) , the client 
111 compares the address and the port number of the server which 
is the connection destination, and the above-mentioned user 
information 131 which has been stored. If these do match each other, 
then it is assumed that the authentif ication for connecting to this 
destination is complete, and a simple authentif ication request is 
sent to the authentif ication server 112 (step S402) . On the other 
hand, when the authentif ication server 112 receives the simple 
authentif ication request from the client 111 (step S403), it then 
performs user information confirmation processing (step S404). 
Details of this confirmation processing are described below using 
Fig. 7 . In order for the authentif ication server 112 to distinguish 
whether this is the normal authentif ication or the simple 
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authentif ication, the address and port number of the client which 
is acting as the connection source are compared against the user 
information 132 which the authentif ication server 112 is holding- 
If these do not match each other, then the authentif ication failure 
is notified to the client 111, and the connection with the client 
111 is disconnected (step S418). 
[0012] 

If they do match each other, then the client 111 generates 
a random number and this is encoded using the session key for the 
user information 131 held in the client 111 (step S405) . The random 
number and the encoded random number are then sent to the 
authentif ication server 112 (step S406). The authentif ication 
server 112 receives these (step S407) , and then decodes the encoded 
random number using the session key of the user information 132 
which it itself is holding (step S408) , and then compares it against 
the random number which was sent to it simultaneously (step S409) . 
If these do not match each other, then the authentif ication failure 
is sent to the client 111, and the connection to the client 111 
is disconnected (step S418) . If they do match, then the 
authentif ication success is sent to the client 111 (step S410) . 
When the client 111 receives the authentif ication success (step 
S411), it then generates a new session key from the random number 
and the encoded random number (step S413) and stores the new session 
key in the user information 131 (step S415). Meanwhile, the 
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authentif ication server 112 also generates a session key at the 
same time as the client 111 (step S412) and stores this in the user 
information 132 (step S414) - Then, the authentif ication server 112 
relays the connection request from the client 111 to the server 
113 (step S416) . When the communications with the server 113 have 
ended (step S417), the connection between the client side and the 
authentif ication server side are then disconnected (steps S419, 
S418) . 

[0013] 

The foregoing is the simple authentif ication processing of 
the present invention, which is performed the second time and 
thereafter. Comparison between the normal authentif ication 
processing shown in Fig. 3 and Fig. 8 and the simple authentif ication 
processing of the present invention shown in Fig. 4 will clarify 
that in the normal authentif ication the certification is sent and 
received but in the simple authentif ication the certification is 
omitted and the simple authentif ication request suffices whereby 
reducing the number of times communications are performed by 1 time. 
Furthermore, in the normal authentif ication the random number is 
generated on the client side, the random number itself is sent and 
received, and then the random numbers are compared on the client 
side. Thus, the random numbers must be communicated 3 times. In 
the simple authentif ication, however, the random number is generated 
on the client side, but the encoded random number is sent to the 
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authentif ication server and the comparison of the random numbers 
is performed on the authentif ication server side. Thus, the 
communication only has to be performed 1 time . Furthermore , whereas 
valid term information is sent and received in the normal 
authentif ication, in the simple authentif ication the valid term 
information of the user information has already been sent and received 
at the time when the user information confirmation processing is 
performed (stepS404) . Thus, extra communications are not necessary . 
Ultimately, the total number of communications decreases by 4: once 
in transmission of the certification, twice in the transmission 
to compare the random numbers, and once in the transmission of the 
valid term of the user information. As a result, the user 
authentif ication can be performed during a short duration of time, 
which also reduces the overhead for the authentif ication server. 
Moreover, when performing the simple authentif ication, the encoded 
random number is used as the subsequent session key. Therefore, 
the authentif ication can be achieved in a short duration of time 
without sacrificing the level of security. 
[0014] 

Fig. 5 is a flowchart showing user information setting 
processing performed at the client. Fig. 5 is used to explain a 
sequence of processing for setting the user information 131 on the 
client 111 side. In the case where the client 111 has succeeded 
with the normal authentif ication, the client 111 then petitions 
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the authentif ication server 112 for either a number of connections 
for it to use, or for a connection duration time to the connection 
destination (steps S502, S504). In the case where the client has 
petitioned for a nximber of connections for it to use, the user 
information remains valid until the petitioned number of connections 
are established (step S503). Furthermore, in the case where the 
client has petitioned for the connection duration time to the 
connection destination, the user information remains valid during 
the connection to the given connection destination server (step 
S505 ) . After that , the address and the port number of the connection 
destination server, the session key that was generated, and the 
valid term are added to the list (step S506). 
[0015] 

Fig. 6 is a flowchart showing user information setting 
processing which takes place at the authentif ication server. Fig. 
6 is used to explain a processing sequence for setting the user 
information 132 at the authentif ication server 112. In the case 
where the normal authentif ication has succeeded, the 
authentif ication server 112 receives the valid term information 
of the user information from the client 111 (step S601), and then 
validates the number of connections or the connection duration time 
in the user information 132 based on the received information (step 
S603, S604). After that, the address and the port number of the 
connection source client, the session key that was generated, and 
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the valid term are added to the list as the user information (step 
S605) . 

[0016] 

Fig. 7 is a flowchart showing user information confirmation 
processing which takes place at the authentif ication server. 
Finally. Fig. 7 is used to explain a method of confirmation of the 
user information at the authentif ication server 112. In the case 
of the simple authentif ication, the authentif ication server 112 
confirms whether or not the previously authentified user and the 
connection source are the same (as determined by the presence of 
the address and the port number) (step S701). After that, it must 
then be confirmed whether or not the content of the user information 
132 is still valid ( steps S702 , S703 , S704 ) . At the authentif ication 
server 112, when performing the simple authentif ication , the user 
information is deleted from the list (step S705) if the validity 
has run out (step S703) or if the simple authentif ication has failed 
(stepS707) . In the case where the simple authentification has failed, 
the client 111 deletes the user information from the list. 
[0017] 

The present invention can be realized anywhere by converting 
into a program each of the operations in the simple authentification 
sequence chart shown in Fig. 4, the flowchart of the client's user 
information setting processing shown in Fig. 5, the flowchart of 
the authentification server's user information setting processing 
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shown in Fig, 6, the flowchart of the user information confirmation 
processing shown in Fig. 7, the normal authentif ication sequence 
chart shown in Fig. 3, and the sequence chart showing the comparison 
of the random numbers when performing the normal authentif ication 
as shown in Fig. 8, and then storing this converted program onto 
a CD-ROM or hard disk or other storage medium so that these storage 
media can be loaded and executed on a freely selected server and 
client terminal in a communications system. 
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